## Class for ldap backups to AWS and GCP
class su_ldap::backups(
#
$env = undef,
#
) {
## This section is the sync of the daily backups to AWS S3, only done for the masters
# The `aws` command used by the sync comes from the distro awscli package;
# Puppet installs it, so no pip/python bootstrap is needed on the host.
package { 'awscli':
  ensure => installed,
}
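# Add the service/ldap keytab to the above primary keytab. This is only
# needed by the master.
#
# $env selects the Kerberos principals. With the class default ($env =
# undef) the non-prod branch would interpolate an empty string and yield
# "service/ldap-" and "ldap/ldap-master.stanford.edu" -- the latter being
# the *production* master principal -- so an unset $env is refused at
# compile time instead of silently resolving to prod.
if $env == undef {
  fail('su_ldap::backups: $env must be set (prod or a non-prod suffix)')
}

if $env == 'prod' {
  $service_name = 'service/ldap'
  $master_name  = 'ldap/ldap-master.stanford.edu'
} else {
  $service_name = "service/ldap-${env}"
  $master_name  = "ldap/ldap-${env}master.stanford.edu"
}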
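# cron jobs we care about.
#
# Every entry gets an explicit mode: cron implementations commonly skip
# /etc/cron.d files that are group- or world-writable, and previously
# remctl-acl-mais-staff simply kept whatever mode it already had on disk,
# unlike its two siblings.
file {
  '/etc/cron.d/master-audit':
    mode   => '0644',
    source => 'puppet:///modules/su_ldap/etc/cron.d/master-audit';
  '/etc/cron.d/master-restart':
    mode    => '0644',
    content => template('su_ldap/etc/cron.d/master-restart.erb');
  '/etc/cron.d/remctl-acl-mais-staff':
    mode   => '0644',
    source => 'puppet:///modules/su_ldap/etc/cron.d/remctl-acl-mais-staff';
}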
# A newsyslog task rotates the LDAP _data_ (as opposed to the LDAP logs)
# into a local directory; the template can additionally rotate into AFS.
#
# $save_to_afs is not read in this class -- presumably master.erb picks it
# up.
# NOTE(review): the intent stated above is AFS rotation only on the
# production master, but the flag is set unconditionally, so every
# environment rotates into AFS -- confirm which behaviour is wanted.
$save_to_afs = true

file { '/etc/newsyslog/master':
  ensure  => 'file',
  content => template('su_ldap/etc/newsyslog/master.erb'),
  mode    => '0644',
  require => File['/etc/newsyslog'],
}
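## Directory where we put GCP credentials
#
# The service-account JSON files placed here are deployed as root:root
# 0640, so the directory is managed to match (root-owned, no access for
# others) instead of being left at whatever mode it was created with.
# Loosen this only if a non-root consumer of the directory turns up.
file { '/etc/ldapadmin':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0750',
}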
# third, pick your bucket and credentials
#
# Anything other than 'prod' (including an unset $env) selects the
# non-prod bucket and the non-prod wallet object.
$s3bucket = $env ? {
  'prod'  => 's3://060553448345-authnz-prod-ldapdumps/',
  default => 's3://608913223100-authnz-x-ldapdumps/',
}
$s3creds = $env ? {
  'prod'  => 'config/its-idg/aws-s3-ldap-prod/access-keys',
  default => 'config/its-idg/aws-s3-ldap-non-prod/access-keys',
}
# $wallet_name = "service/its-idg/git-cn-config-sshkey/ldap-${suffix}"
# Pull the S3 access keys for the bucket chosen above out of wallet and
# place them where the sync job reads them, root-only (root:root, 0640).
base::wallet { $s3creds:
  ensure => 'present',
  type   => 'file',
  path   => '/etc/ssl/private/s3bucket-keys',
  mode   => '0640',
  owner  => 'root',
  group  => 'root',
}
# Module for google cloud SDK Installation. Declared with `include` so a
# second declaration of the same class elsewhere in the catalog is harmless.
include package_google_cloud_sdk
# Pickup right environment credentials from wallet
# Both values are wallet object names; the prod one is only fetched on the
# production master below.
## Production ldapuser serviceaccount
$gcs_credentials_prod = 'password/its-idg/gcs/prod-ldapuser_serviceaccount'
## Stage ldapuser service account
$gcs_credentials_stage = 'password/its-idg/gcs/stage-ldapuser_serviceaccount'
# Fetch the stage ldapuser service-account key out of wallet (root:root,
# 0640).
# NOTE(review): this is unconditional, so the stage key also lands on the
# production master alongside the prod key -- confirm prod actually needs
# it; otherwise guard it with the same $env check used for the prod key.
base::wallet { $gcs_credentials_stage:
  ensure => 'present',
  type   => 'file',
  path   => '/etc/ldapadmin/gcs_stage_ldapuser_serviceaccount.json',
  mode   => '0640',
  owner  => 'root',
  group  => 'root',
}
# The prod ldapuser service-account key is only ever placed on the
# production master (root:root, 0640).
if $env == 'prod' {
  base::wallet { $gcs_credentials_prod:
    ensure => 'present',
    type   => 'file',
    path   => '/etc/ldapadmin/gcs_prod_ldapuser_serviceaccount.json',
    mode   => '0640',
    owner  => 'root',
    group  => 'root',
  }
}